plugx | 0e3e47697539f1773fb53114ab53229c0304d86ed35aec05e5f5bfdf3bd35f9a

General

Target

AvastProxy.exe
Size

56KB
MD5

feac3e6946ab9b39c66a8756a4a7468f
SHA1

b490fbb91ebf327173940f3ed93f518191abb5e8
SHA256

560055994a2290b3eb3f354afbf5ebcf4b8d78820f238eae70d76ece81b97c23
SHA512

55c3089d2744412e14032e66390d0ccb25fb995994baf77aee0bd315057543c39d13ee9344dab839ab041e4ca950e09c30a320f95cc8b0f1c69174d2e6562f3b

Score

10^/10

plugx persistence trojan

Malware Config

Extracted

Family

plugx

C2

www.systeminfor.com:80

www.systeminfor.com:53

www.systeminfor.com:25

Attributes

folder
AvastProxyBpC

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 1 IoCs

pid	Process
888	AvastProxy.exe

Loads dropped DLL 3 IoCs

pid	Process
1860	AvastProxy.exe
1860	AvastProxy.exe
888	AvastProxy.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	AvastProxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AvastProxyBpC = "\"C:\\ProgramData\\AvastProxyBpC\\AvastProxy.exe\" 724"	AvastProxy.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run	AvastProxy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvastProxyBpC = "\"C:\\ProgramData\\AvastProxyBpC\\AvastProxy.exe\" 724"	AvastProxy.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu	AvastProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\PROXY	AvastProxy.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY	AvastProxy.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
888	AvastProxy.exe
888	AvastProxy.exe
888	AvastProxy.exe
888	AvastProxy.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	AvastProxy.exe
Token: SeDebugPrivilege	888	AvastProxy.exe
Token: SeTcbPrivilege	888	AvastProxy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 888	1860	AvastProxy.exe	27
PID 1860 wrote to memory of 888	1860	AvastProxy.exe	27
PID 1860 wrote to memory of 888	1860	AvastProxy.exe	27
PID 1860 wrote to memory of 888	1860	AvastProxy.exe	27

C:\Users\Admin\AppData\Local\Temp\AvastProxy.exe
"C:\Users\Admin\AppData\Local\Temp\AvastProxy.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1860
- C:\ProgramData\AvastProxyBpC\AvastProxy.exe
  C:\ProgramData\AvastProxyBpC\AvastProxy.exe 724
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AvastProxyBpC\AvastProxy.exe

Filesize
56KB

MD5
feac3e6946ab9b39c66a8756a4a7468f

SHA1
b490fbb91ebf327173940f3ed93f518191abb5e8

SHA256
560055994a2290b3eb3f354afbf5ebcf4b8d78820f238eae70d76ece81b97c23

SHA512
55c3089d2744412e14032e66390d0ccb25fb995994baf77aee0bd315057543c39d13ee9344dab839ab041e4ca950e09c30a320f95cc8b0f1c69174d2e6562f3b

Download Submit
C:\ProgramData\AvastProxyBpC\main.dat

Filesize
135KB

MD5
29aa748c0d3ad949b656528997beca28

SHA1
7db32103fefa0612c24f3940a17a5a1793ca7bb7

SHA256
f7a7eca072cb07af2a769bff4729478a9ec714c59e3c1c25410184014ccee18e

SHA512
764195f1292588f883d87c5f980fced838a6d6d9354d1395c45f8ba2d9ed629bff78d4c1fe2cede4b5b192fe26c18d15006d68332b1da97bcb2e19569efd30ff

Download Submit
C:\ProgramData\AvastProxyBpC\wsc.dll

Filesize
76KB

MD5
fc83d5c67de996607b0a59d70e6ff711

SHA1
c44c923ab0331d3f7cee588eb73464ce93cf4ce4

SHA256
5a795c4b2a1a9c76791a516822ae0c9ec9d02780c41d2f6a6960a4ea15d68e34

SHA512
11cd6230ec8906dd91a2719bccb82f59bcbc027ba94959a7aae5614c4e8f9669d736abdaade1cc0d1183bb7db3a7391fc7be14c6e5685e312e5f48a625c83f81

Download Submit
\ProgramData\AvastProxyBpC\AvastProxy.exe

Filesize
56KB

MD5
feac3e6946ab9b39c66a8756a4a7468f

SHA1
b490fbb91ebf327173940f3ed93f518191abb5e8

SHA256
560055994a2290b3eb3f354afbf5ebcf4b8d78820f238eae70d76ece81b97c23

SHA512
55c3089d2744412e14032e66390d0ccb25fb995994baf77aee0bd315057543c39d13ee9344dab839ab041e4ca950e09c30a320f95cc8b0f1c69174d2e6562f3b

Download Submit
\ProgramData\AvastProxyBpC\AvastProxy.exe

Filesize
56KB

MD5
feac3e6946ab9b39c66a8756a4a7468f

SHA1
b490fbb91ebf327173940f3ed93f518191abb5e8

SHA256
560055994a2290b3eb3f354afbf5ebcf4b8d78820f238eae70d76ece81b97c23

SHA512
55c3089d2744412e14032e66390d0ccb25fb995994baf77aee0bd315057543c39d13ee9344dab839ab041e4ca950e09c30a320f95cc8b0f1c69174d2e6562f3b

Download Submit
\ProgramData\AvastProxyBpC\wsc.dll

Filesize
76KB

MD5
fc83d5c67de996607b0a59d70e6ff711

SHA1
c44c923ab0331d3f7cee588eb73464ce93cf4ce4

SHA256
5a795c4b2a1a9c76791a516822ae0c9ec9d02780c41d2f6a6960a4ea15d68e34

SHA512
11cd6230ec8906dd91a2719bccb82f59bcbc027ba94959a7aae5614c4e8f9669d736abdaade1cc0d1183bb7db3a7391fc7be14c6e5685e312e5f48a625c83f81

Download Submit
memory/888-65-0x0000000000448000-0x000000000046B000-memory.dmp

Filesize
140KB

Download
memory/888-66-0x0000000000B20000-0x0000000004751000-memory.dmp

Filesize
60.2MB

Download
memory/888-68-0x0000000000448000-0x000000000046B000-memory.dmp

Filesize
140KB

Download
memory/888-69-0x0000000000448000-0x000000000046B000-memory.dmp

Filesize
140KB

Download
memory/1860-60-0x0000000000548000-0x000000000056B000-memory.dmp

Filesize
140KB

Download
memory/1860-56-0x0000000075E41000-0x0000000075E43000-memory.dmp

Filesize
8KB

Download
memory/1860-54-0x0000000000548000-0x000000000056B000-memory.dmp

Filesize
140KB

Download
memory/1860-55-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing